CVE-2024-13887
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary images to WordPress listings via the Business Directory Plugin. All WordPress sites using this plugin up to version 6.4.14 are affected. Attackers can inject malicious images without requiring any authentication.
💻 Affected Systems
- Business Directory Plugin – Easy Listing Directories for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers upload malicious images containing hidden malware, phishing content, or inappropriate material that appears on legitimate business listings, damaging reputation and potentially infecting visitors.
Likely Case
Spammers upload promotional or malicious images to hijack legitimate business listings for advertising or phishing campaigns.
If Mitigated
With proper monitoring and content review, unauthorized images are detected and removed before causing significant harm.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests, making exploitation trivial for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.15 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3249927/business-directory-plugin/trunk/includes/class-wpbdp.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find Business Directory Plugin.
4. Click Update Now to update to version 6.4.15 or later.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Temporarily disable the vulnerable ajax_listing_submit_image_upload function via plugin hooks.
Add to theme's functions.php: add_filter('wpbdp_ajax_listing_submit_image_upload', '__return_false');
🧯 If You Can't Patch
- Disable the Business Directory Plugin entirely until patched
- Implement strict file upload restrictions at web server level (Apache/Nginx) to block image uploads to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Business Directory Plugin version. If version is 6.4.14 or lower, you are vulnerable.
Check Version (WP-CLI; the --name filter takes the plugin slug, not the display name):
wp plugin list --name=business-directory-plugin --field=version
Verify Fix Applied:
After updating, verify plugin version shows 6.4.15 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=wpbdp-ajax&action=listing_submit_image_upload
- Multiple image uploads from single IP addresses
- Uploads of non-standard image file types
Network Indicators:
- HTTP POST requests to admin-ajax.php with image upload parameters from unauthenticated sources
SIEM Query:
source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="wpbdp-ajax" AND params.subaction="listing_submit_image_upload"
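The log indicators above, turned into a small detection script. This is an added example, not part of the original advisory or of the plugin: it parses Apache/Nginx combined-format access log lines, flags POST requests to /wp-admin/admin-ajax.php whose query string carries action=wpbdp-ajax together with listing_submit_image_upload (accepting both the subaction= form used in the SIEM query and the repeated action= form listed under Log Indicators), and then reports source IPs that issued several such uploads. The log lines, IP addresses and the per-IP threshold are constructed sample data. One caveat a practitioner should keep in mind: standard access logs record only the query string, so if the plugin parameters travel in the POST body you will need WAF or application-level logging to see them; the parser below is written for the query-string case.

```python
"""Access-log detection for the admin-ajax.php upload pattern described above.

Added example (not the advisory's or the plugin's code). Parses combined-format
access log lines and flags POSTs to admin-ajax.php that carry the wpbdp-ajax
action and the listing_submit_image_upload sub-action. All sample data is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
PLUGIN_ACTION = "wpbdp-ajax"
UPLOAD_SUBACTION = "listing_submit_image_upload"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_request(rec):
    """True when the record is a POST to admin-ajax.php carrying the plugin's
    image-upload sub-action. The advisory lists both 'subaction=' and a repeated
    'action=' as indicators, so either spelling counts."""
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["target"])
    if parts.path != AJAX_PATH:
        return False
    qs = parse_qs(parts.query)
    actions = qs.get("action", [])
    subactions = qs.get("subaction", [])
    return PLUGIN_ACTION in actions and (
        UPLOAD_SUBACTION in subactions or UPLOAD_SUBACTION in actions
    )


def find_upload_requests(lines):
    """Return (ip, time, target) tuples for every matching request; unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_upload_request(rec):
            hits.append((rec["ip"], rec["time"], rec["target"]))
    return hits


def noisy_sources(hits, threshold=3):
    """IPs with at least `threshold` upload requests (the 'multiple uploads from a
    single IP' indicator). The threshold is an assumed tuning value, not from the advisory."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation address ranges, not real sources.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpbdp-ajax&subaction=listing_submit_image_upload HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpbdp-ajax&subaction=listing_submit_image_upload HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpbdp-ajax&action=listing_submit_image_upload HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2025:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=wpbdp-ajax&subaction=listing_submit_image_upload HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=wpbdp-ajax&subaction=listing_submit_image_upload HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    'not a log line at all',
]

if __name__ == "__main__":
    hits = find_upload_requests(SAMPLE_LOG)
    for ip, when, target in hits:
        print(f"{ip} {when} {target}")
    print("noisy sources:", noisy_sources(hits))
```

Run against a real log with `find_upload_requests(open("/var/log/nginx/access.log"))`; a single hit is worth a look on a site that allows listing submissions, while a source crossing the per-IP threshold is the spam or phishing pattern described under Likely Case.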